Multi-wave npm supply chain campaign deploying a cross-platform RAT disguised as Autodesk Forge SDK packages. Uses shared C2 infrastructure at 204.10.194.247 across waves. Wave 1 (forge-jsx, April 2026) provided base RAT capabilities. Wave 2 (forge-jsxy, May 2026) added Discord screenshot exfiltration, Hugging Face uploads, crypto wallet scanning, Chromium extension harvesting, WebRTC P2P, and durable persistence outside node_modules.
Packages
Indicators
- domain: 204.10.194.247 (communicates-with)
- ipv4: 204.10.194.247 (communicates-with)
- sha256: 4cb96c3b033c1aaf7b3d0fe54749058f14d4d914947a6d6d430aca108a7daa5a (indicates)
- email: john@taohunter.ai (exfiltrates-to)
- email: johnceballos0716@gmail.com (exfiltrates-to)
- url: ws://204.10.194.247:9877 (communicates-with)
- url: http://204.10.194.247:8765 (communicates-with)
- sha256: 4938d47fe6216f8f9fee0527bf5112c04c15a9ea62f87869677619aa5400f09f (indicates)
- sha256: 8070daba5d6ca61c357574526d1e0f468ae575a4edf74cc90a8d8b8c78e3aeef (indicates)
- email: jacksonkaandorp2@outlook.com (indicates)
- domain: taohunter.ai (communicates-with)
- file_path: ~/.config/systemd/user/forge-js-worker.service (drops)
- file_path: ~/.config/autostart/forge-js-worker.desktop (drops)
- file_path: ~/Library/LaunchAgents/com.forgejs.worker.plist (drops)
Techniques
- ttp: T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- ttp: T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp: T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp: T1041 Exfiltration Over C2 Channel (uses)
- ttp: T1105 Ingress Tool Transfer (uses)
- ttp: T1071.001 Application Layer Protocol: Web Protocols (uses)
- ttp: T1546 Event Triggered Execution (uses)
- ttp: T1195.002 Compromise Software Supply Chain (uses)
- ttp: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys (uses)
- ttp: T1547.004 Boot or Logon Autostart Execution: Launch Agent (uses)
- ttp: T1543.002 Create or Modify System Process: Systemd Service (uses)
- ttp: T1056.001 Input Capture: Keylogging (uses)
- ttp: T1115 Clipboard Data (uses)
- ttp: T1113 Screen Capture (uses)
- ttp: T1005 Data from Local System (uses)
- ttp: T1567.001 Exfiltration to Code Repository (uses)
- ttp: T1027 Obfuscated Files or Information (uses)
- ttp: T1082 System Information Discovery (uses)
- ttp: T1217 Browser Information Discovery (uses)
- ttp: T1020 Automated Exfiltration (uses)
